With Resource Access Management (RAM) users, you can split permissions, grant each RAM user only the permissions it needs, and avoid the security risks caused by exposing the keys of your Alibaba Cloud account.
Background information
For security purposes, you can create RAM users for your Alibaba Cloud account and grant different permissions to these RAM users as needed. This way, RAM users can perform their own duties without the key of your Alibaba Cloud account being exposed. For example, if Enterprise A wants to allow some employees to handle routine O&M tasks, Enterprise A can create RAM users and grant the corresponding permissions to them. The employees can then use these RAM users to log on to the console or call API operations.
The following table describes the system policies that are supported by Tracing Analysis.
| Policy | Type | Description |
| --- | --- | --- |
| AliyunTracingAnalysisFullAccess | System policy | Full permissions on Managed Service for OpenTelemetry |
| AliyunTracingAnalysisReadOnlyAccess | System policy | Read-only permissions on Managed Service for OpenTelemetry |
Procedure
What to do next
After you create a RAM user by using an Alibaba Cloud account, you can share the logon name and password or AccessKey pair of the RAM user with other users. The users can perform the following steps to log on to the Alibaba Cloud Management Console or call API operations as the RAM user.
Log on to the Alibaba Cloud Management Console
Log on to the Alibaba Cloud Management Console as a RAM user.
On the RAM User Logon page, enter the username of the RAM user and click Next.

Logon name 1: default domain name. The format of the logon name of the RAM user is <UserName>@<AccountAlias>.onaliyun.com, such as username@company-alias.onaliyun.com.
Note: <UserName> indicates the username of the RAM user. <AccountAlias>.onaliyun.com indicates the default domain name. For more information, see Terms and View and modify the default domain name.

Logon name 2: the account alias. The format of the logon name of the RAM user is <UserName>@<AccountAlias>, such as username@company-alias.
Note: <UserName> indicates the username of the RAM user. <AccountAlias> indicates the account alias. For more information, see Terms and View and modify the default domain name.

Logon name 3: the domain alias. If you configured a domain alias, you can use this logon name. The format of the logon name of the RAM user is <UserName>@<DomainAlias>, such as username@example.com.
Note: <UserName> indicates the username of the RAM user. <DomainAlias> indicates the domain alias. For more information, see Terms and Create and verify a domain alias.
Enter the logon password and click Log On.
Optional. If multi-factor authentication (MFA) is enabled, pass the authentication.
For more information, see multi-factor authentication (MFA) and Bind an MFA device to a RAM user.
Use the AccessKey pair of the RAM user to call API operations
When you call an API operation, specify the AccessKey ID and AccessKey secret of the RAM user in the code.
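The following is an added example, not code from this page or from an Alibaba Cloud SDK: it supplies the RAM user's AccessKey pair from the environment instead of writing it into source files, and shows that only an HMAC signature derived from the secret goes into the request. It assumes the RPC-style request signature (HMAC-SHA1, signature version 1.0) and the environment variable names read by the Alibaba Cloud SDK default credential chain; the action name, nonce, and key values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import quote

# Assumption: variable names read by the Alibaba Cloud SDK default credential chain.
ENV_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


def load_access_key(env=os.environ):
    """Return (access_key_id, access_key_secret) from the environment, or fail closed."""
    key_id = env.get(ENV_ID, "").strip()
    secret = env.get(ENV_SECRET, "").strip()
    if not key_id or not secret:
        raise RuntimeError(f"set {ENV_ID} and {ENV_SECRET}; do not hardcode the key pair")
    return key_id, secret


def percent_encode(value):
    """RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay unescaped."""
    return quote(str(value), safe="")


def string_to_sign(method, params):
    """Canonical string: HTTP method, encoded '/', encoded sorted query string."""
    canonical = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return f"{method}&{percent_encode('/')}&{percent_encode(canonical)}"


def sign(method, params, access_key_secret):
    """Base64 HMAC-SHA1 of the canonical string; the key is the secret followed by '&'."""
    key = (access_key_secret + "&").encode()
    digest = hmac.new(key, string_to_sign(method, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    # Constructed sample values; a real run takes the key pair from os.environ.
    sample_env = {ENV_ID: "constructed-key-id", ENV_SECRET: "constructed-secret"}
    key_id, secret = load_access_key(sample_env)
    params = {"Action": "ExampleAction", "AccessKeyId": key_id, "SignatureNonce": "n-1"}
    print(sign("GET", params, secret))  # only the signature is sent, never the secret
```
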